If you're comfortable with it and the client is aware and has agreed to you using beta versions in their production environment, then there is nothing wrong with it.
The other UTMs that I know of which market https security without needing certificates installed strictly do blocking based on URL only, but cannot scan within the actual packets.
One way of deploying the certificate without AD is to have client systems within the LAN (behind Astaro) navigate to http://passthrough.fw-notify.net/cacert.pem. They download and install the certificate without being a member of the domain or using AD.
An option for occasionally present employees or contractors is to use separate proxy profiles, where you can exclude certain groups from https scanning.
There was a trick that I used, before the https scanning feature was added, to block certain https sites. I'll use gmail as an example. Create a new network definition of the type DNS Group (because gmail is hosted on multiple server clusters and from multiple IP addresses) and for the hostname put in mail.google.com. Now create a packet filter rule to block all https (443) for this DNS Group. It's blocked. :)
As you mention, Application Control in 8.200 will solve many of these difficulties. The original target for GA release was July. I'm not certain if this is still the case, but it should be close. It won't be too long now.